Need help for line breaking

RobertRi · ‎11-19-2013

Hi

I have a problem with an logifle wich has over 95% single line events and a few multiline events.

These multiline events have this format

START*A .....
   ....
   ....
   ....
END

How can I configure I splunk to keep this lines together as a one multiline event?

Thanks for your help
Rob

RobertRi · ‎11-19-2013

Yes, the inner multiline lines are indented with tabs

gkanapathy · ‎11-19-2013

Then:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:XSET|XGET|START|\?|XKS|XDEL)

may do it. Or,

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?!(?:END|\t))

gkanapathy · ‎11-19-2013

for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better.

RobertRi · ‎11-19-2013

I have played around with the data preview in the UI (really cool thing!) and found that this works too.

MUST_NOT_BREAK_AFTER=^START\*\w+\s
MUST_BREAK_AFTER=^END
SHOULD_LINEMERGE= true

In case of performance, did you recommend your solution with the LINE_BREAKER or my way?

Thank you very much for your help!
Rob

gkanapathy · ‎11-19-2013

So, with the multi-line events, are the inner lines actually indented with spaces or tabs? Or is that just how you formatted it?

RobertRi · ‎11-19-2013

The single lines are really different
They begin with ..

XSET
XGET
START ......... END
?
XKS
XDEL

gkanapathy · ‎11-19-2013

what do the single line events look like?

Need help for line breaking

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio